It's considered good practice to remove the version number headers commonly emitted by IIS and ASP.NET applications, you've probably seen these before:
NWebsec helps you suppress almost all of these version headers, i.e. all but the Server: Microsoft-IIS/8.0
NWebsec.Mvc will disable the MVC version header programatically (through a PreApplicationStartMethodAttribute
The NWebsec package will add the following to your web.config to get rid of the AspNet version header:
The X-Powered-By: ASP.NET
header is actually added by the IIS itself. Unfortunately, it doesn't exist in the header collection when any of the ASP.NET events fire in the processing pipeline.
To get rid of the X-Powered-By: ASP.NET
header, NWebsec will add the following to your web.config. This will clear the list of headers added by IIS (except the Server header).
You can install UrlScan to get rid of the Server header. For instructions on how to do it by hand, go read Shhh… don’t let your response headers talk too loudly
. Good luck!